L2 switch solution: filter rogue RAs in the switches, just like
filtering rogue DHCPv4. You can detect potential RA sources by
MLD joins to ff02::2 (all-routers link-local multicast addr).
CONS: you cannot protect victims within the same wireless
base station, for instance.

end node host firewall solution: at every node, look at the content
of RAs and reject them if they advertise prefixes like
fec0:0:0:xxxx::/64.
CONS: not widely deployable, can filter legitimate RAs (false positives)
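
The host-side check described above, as an added example (not code from the original note or from KAME): it parses the Prefix Information options of a received RA and rejects the RA when a prefix falls inside a deny-list. The deny-list (fec0::/10), the fail-closed handling of malformed RAs, the pass-through of zero-lifetime prefixes, the function names and the sample packets are assumptions.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # Prefix Information option, always 32 bytes long
# Assumed deny-list: site-local space, which covers fec0:0:0:xxxx::/64.
SUSPECT = [ipaddress.ip_network("fec0::/10")]

def ra_prefixes(icmp6: bytes):
    """Return [(prefix, valid_lifetime)] for each Prefix Information option."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT or icmp6[1] != 0:
        raise ValueError("not a Router Advertisement")
    found, off = [], 16                      # options start after the 16-byte RA header
    while off < len(icmp6):
        # Option length is counted in units of 8 bytes; 0 is invalid.
        opt_len = icmp6[off + 1] * 8 if off + 1 < len(icmp6) else 0
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed ND option")
        if icmp6[off] == OPT_PREFIX_INFO and opt_len == 32:
            plen, _flags, valid, _pref = struct.unpack_from("!BBII", icmp6, off + 2)
            addr = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            found.append((ipaddress.IPv6Network((addr, plen), strict=False), valid))
        off += opt_len
    return found

def should_reject(icmp6: bytes) -> bool:
    """True if the RA is malformed or advertises a live prefix inside SUSPECT.

    Assumed policy: fail closed on parse errors, and let prefixes with a
    valid lifetime of 0 through, since those withdraw a prefix rather than
    add one (this is what rafixd-style corrections look like).
    """
    try:
        prefixes = ra_prefixes(icmp6)
    except ValueError:
        return True
    return any(valid > 0 and any(p.subnet_of(n) for n in SUSPECT)
               for p, valid in prefixes)

def build_ra(prefix: str, plen: int, valid: int) -> bytes:
    """Constructed sample RA for testing (checksum left at 0, never sent)."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, valid, valid, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed
```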

KAME rafixd: shoot down rogue RAs by announcing against those rogue
RAs with 0 prefix/router lifetime.
PROS: easy to deploy, maybe we should ship it with *BSD
CONS: need to take down the source of rogue RA anyways

SEND: secure neighbor discovery.
CONS: deployment cost is ultra super expensive.
It is very unlikely that you have access to an implementation.

From our experiences, my choice would be rafixd.

Note that the use of DHCPv6 is NOT a solution, as you can see rogue DHCPv6
servers/relay agents just like rogue RAs.